Use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak:
class EntitlementAPITest, method testServerDecisionStrategy.
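@Test
public void testServerDecisionStrategy() throws Exception {
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();

    // A resource with three scopes; the server-assigned id is read back from the create response.
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(KeycloakModelUtils.generateId());
    resource.addScope("read", "write", "delete");
    try (Response response = authorization.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }

    // One policy that always grants and one that always denies.
    JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
    grantPolicy.setName(KeycloakModelUtils.generateId());
    grantPolicy.setCode("$evaluation.grant();");
    authorization.policies().js().create(grantPolicy).close();

    JSPolicyRepresentation denyPolicy = new JSPolicyRepresentation();
    denyPolicy.setName(KeycloakModelUtils.generateId());
    denyPolicy.setCode("$evaluation.deny();");
    authorization.policies().js().create(denyPolicy).close();

    // Resource-level permission backed by the deny policy ...
    ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
    resourcePermission.setName(KeycloakModelUtils.generateId());
    resourcePermission.addResource(resource.getId());
    resourcePermission.addPolicy(denyPolicy.getName());
    authorization.permissions().resource().create(resourcePermission).close();

    // ... and a scope-level permission on "read" backed by the grant policy.
    ScopePermissionRepresentation scopePermission1 = new ScopePermissionRepresentation();
    scopePermission1.setName(KeycloakModelUtils.generateId());
    scopePermission1.addScope("read");
    scopePermission1.addPolicy(grantPolicy.getName());
    ScopePermissionsResource scopePermissions = authorization.permissions().scope();
    scopePermissions.create(scopePermission1).close();

    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getName());

    // With the server's initial decision strategy (not set explicitly here) the deny-backed permission wins.
    assertAccessDenied(authzClient, accessToken, request);

    // AFFIRMATIVE: one granting permission is enough, so the "read" scope is now granted.
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorization.update(settings);
    assertPermissions(authzClient, accessToken, request, resource, "read");

    // Widening the granting scope permission widens the granted scopes.
    scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
    scopePermission1.addScope("read", "delete");
    scopePermissions.findById(scopePermission1.getId()).update(scopePermission1);
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete");

    ScopePermissionRepresentation scopePermission2 = new ScopePermissionRepresentation();
    scopePermission2.setName(KeycloakModelUtils.generateId());
    scopePermission2.addScope("write");
    scopePermission2.addPolicy(grantPolicy.getName());
    scopePermissions.create(scopePermission2).close();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

    // A third permission bound to the resource and all three scopes overlaps the previous two.
    ScopePermissionRepresentation scopePermission3 = new ScopePermissionRepresentation();
    scopePermission3.setName(KeycloakModelUtils.generateId());
    scopePermission3.addResource(resource.getId());
    scopePermission3.addScope("write", "read", "delete");
    scopePermission3.addPolicy(grantPolicy.getName());
    scopePermissions.create(scopePermission3).close();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

    // Removing the overlapping permissions changes nothing while scopePermission3 still covers every scope.
    scopePermission2 = scopePermissions.findByName(scopePermission2.getName());
    scopePermissions.findById(scopePermission2.getId()).remove();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

    scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
    scopePermissions.findById(scopePermission1.getId()).remove();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

    // Narrowing the last granting permission drops "read".
    scopePermission3 = scopePermissions.findByName(scopePermission3.getName());
    scopePermission3.addScope("write", "delete");
    scopePermissions.findById(scopePermission3.getId()).update(scopePermission3);
    assertPermissions(authzClient, accessToken, request, resource, "delete", "write");

    // With no granting permission left, only the deny-backed resource permission applies.
    scopePermissions.findById(scopePermission3.getId()).remove();
    assertAccessDenied(authzClient, accessToken, request);

    // A granting resource permission next to the denying one: AFFIRMATIVE grants all scopes ...
    ResourcePermissionRepresentation grantResourcePermission = new ResourcePermissionRepresentation();
    grantResourcePermission.setName(KeycloakModelUtils.generateId());
    grantResourcePermission.addResource(resource.getId());
    grantResourcePermission.addPolicy(grantPolicy.getName());
    authorization.permissions().resource().create(grantResourcePermission).close();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

    // ... while UNANIMOUS lets the single deny decision reject the whole request.
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);
    assertAccessDenied(authzClient, accessToken, request);
}

// Asserts that authorizing the request with the given token is rejected with HTTP 403 and an "access_denied" error.
private static void assertAccessDenied(AuthzClient authzClient, String accessToken, AuthorizationRequest request) {
    try {
        authzClient.authorization(accessToken).authorize(request);
        fail("kolo can not access the resource");
    } catch (RuntimeException expected) {
        // The client wraps the HTTP failure; check the cause type explicitly so a different cause
        // fails as an assertion rather than as a ClassCastException/NullPointerException.
        assertTrue(expected.getCause() instanceof HttpResponseException);
        HttpResponseException cause = (HttpResponseException) expected.getCause();
        assertEquals(403, cause.getStatusCode());
        assertTrue(cause.toString().contains("access_denied"));
    }
}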
Use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak:
class EntitlementAPITest, method testOfflineRequestingPartyToken.
@Test
public void testOfflineRequestingPartyToken() throws Exception {
    AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

    // Policy that grants unconditionally.
    JSPolicyRepresentation grantAll = new JSPolicyRepresentation();
    grantAll.setName(KeycloakModelUtils.generateId());
    grantAll.setCode("$evaluation.grant();");
    authorization.policies().js().create(grantAll).close();

    // "Sensors" resource with three scopes; the created representation (with id) is read back.
    ResourceRepresentation sensors = new ResourceRepresentation();
    sensors.setName("Sensors");
    sensors.addScope("sensors:view", "sensors:update", "sensors:delete");
    try (Response created = authorization.resources().create(sensors)) {
        sensors = created.readEntity(ResourceRepresentation.class);
    }

    // Only the view scope is granted, through the grant-all policy.
    ScopePermissionRepresentation viewPermission = new ScopePermissionRepresentation();
    viewPermission.setName("View Sensor");
    viewPermission.addScope("sensors:view");
    viewPermission.addPolicy(grantAll.getName());
    authorization.permissions().scope().create(viewPermission).close();

    // Access token obtained with the offline_access scope for the offline user.
    String offlineAccessToken = new OAuthClient()
            .realm("authz-test")
            .clientId(RESOURCE_SERVER_TEST)
            .scope("offline_access")
            .doGrantAccessTokenRequest("secret", "offlineuser", "password")
            .getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

    AccessTokenResponse rptResponse = authzClient.authorization(offlineAccessToken).authorize();
    assertNotNull(rptResponse.getToken());

    // Restart the auth server so that any in-memory session state is gone before the RPT is checked again.
    String serverQualifier = suiteContext.getAuthServerInfo().getQualifier();
    controller.stop(serverQualifier);
    controller.start(serverQualifier);
    reconnectAdminClient();
    configureSectorIdentifierRedirectUris();

    // The RPT issued before the restart must still introspect as active with its permissions.
    TokenIntrospectionResponse introspection = authzClient.protection().introspectRequestingPartyToken(rptResponse.getToken());
    assertTrue(introspection.getActive());
    assertFalse(introspection.getPermissions().isEmpty());

    // And the offline access token must still be usable to obtain a fresh RPT.
    rptResponse = authzClient.authorization(offlineAccessToken).authorize();
    assertNotNull(rptResponse.getToken());
}
Use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak:
class GroupPathPolicyTest, method testOnlyChildrenPolicy.
@Test
public void testOnlyChildrenPolicy() throws Exception {
    RealmResource realm = getRealm();
    AuthzClient authzClient = getAuthzClient();

    // Permission ticket for "Resource B", reused for every authorization attempt below.
    String ticket = authzClient.protection().permission().create(new PermissionRequest("Resource B")).getTicket();

    // kolo is not yet a member of any qualifying group.
    assertTicketDenied(authzClient, "kolo", ticket);

    // Joining the leaf group "/Group A/Group B/Group C" makes kolo eligible.
    GroupRepresentation leafGroup = getGroup("/Group A/Group B/Group C");
    UserRepresentation kolo = realm.users().search("kolo").get(0);
    realm.users().get(kolo.getId()).joinGroup(leafGroup.getId());

    AuthorizationResponse granted = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(granted.getToken());

    // marta never joined the group, so the same ticket is still denied for her.
    assertTicketDenied(authzClient, "marta", ticket);
}

// Asserts that the given user cannot redeem the permission ticket.
private static void assertTicketDenied(AuthzClient authzClient, String username, String ticket) {
    try {
        authzClient.authorization(username, "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignored) {
        // denial is the expected outcome
    }
}
Use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak:
class PermissionClaimTest, method testClaimsFromDifferentScopePermissions.
@Test
public void testClaimsFromDifferentScopePermissions() throws Exception {
    AuthorizationResource authorization = getClient(getRealm()).authorization();

    // Two resources, each exposing the "create" and "update" scopes.
    ResourceRepresentation resourceA = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
    authorization.resources().create(resourceA).close();
    ResourceRepresentation resourceB = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
    authorization.resources().create(resourceB).close();

    // Scope permission on both scopes, governed by the claim-a and claim-b policies.
    ScopePermissionRepresentation allScopesPermission = new ScopePermissionRepresentation();
    allScopesPermission.setName(KeycloakModelUtils.generateId());
    allScopesPermission.addScope("create", "update");
    allScopesPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
    authorization.permissions().scope().create(allScopesPermission).close();

    // Scope permission on "update" only, governed by the claim-c policy; its id is needed later for the update.
    ScopePermissionRepresentation updatePermission = new ScopePermissionRepresentation();
    updatePermission.setName(KeycloakModelUtils.generateId());
    updatePermission.addScope("update");
    updatePermission.addPolicy(claimCPolicy.getName());
    try (Response created = authorization.permissions().scope().create(updatePermission)) {
        updatePermission = created.readEntity(ScopePermissionRepresentation.class);
    }

    AuthzClient authzClient = getAuthzClient();
    AuthorizationRequest request = new AuthorizationRequest();
    // No resource id: ask for the scopes across all resources.
    request.addPermission(null, "create", "update");

    List<Permission> granted = grantedPermissions(authzClient, request);
    assertEquals(2, granted.size());
    for (Permission permission : granted) {
        assertPolicyClaims(permission.getClaims());
    }

    // Attaching one more policy to the "update" permission adds that policy's claim to every granted permission.
    updatePermission.addPolicy(denyPolicy.getName());
    authorization.permissions().scope().findById(updatePermission.getId()).update(updatePermission);

    granted = grantedPermissions(authzClient, request);
    assertEquals(2, granted.size());
    for (Permission permission : granted) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertPolicyClaims(claims);
        assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
    }
}

// Obtains an RPT for marta with the given request and returns the permissions from its authorization claim.
private List<Permission> grantedPermissions(AuthzClient authzClient, AuthorizationRequest request) {
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    AccessToken rpt = toAccessToken(response.getToken());
    Authorization authorizationClaim = rpt.getAuthorization();
    return new ArrayList<>(authorizationClaim.getPermissions());
}

// Asserts the claims contributed by the claim-a, claim-b and claim-c policies are all present on a permission.
private static void assertPolicyClaims(Map<String, Set<String>> claims) {
    assertNotNull(claims);
    assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
    assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
    assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
}
Use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak:
class PermissionClaimTest, method testPermissionWithClaimsDifferentPolicies.
@Test
public void testPermissionWithClaimsDifferentPolicies() throws Exception {
    AuthorizationResource authorization = getClient(getRealm()).authorization();

    ResourceRepresentation resourceB = new ResourceRepresentation("Resource B");
    authorization.resources().create(resourceB).close();

    // Resource permission governed by two policies, each expected to contribute its own claim.
    ResourcePermissionRepresentation resourceBPermission = new ResourcePermissionRepresentation();
    resourceBPermission.setName(resourceB.getName() + " Permission");
    resourceBPermission.addResource(resourceB.getName());
    resourceBPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
    authorization.permissions().resource().create(resourceBPermission).close();

    // Permission ticket for the resource, exchanged for an RPT with marta's access token.
    PermissionRequest ticketRequest = new PermissionRequest();
    ticketRequest.setResourceId(resourceB.getName());
    String martaToken = new OAuthClient()
            .realm("authz-test")
            .clientId("test-client")
            .doGrantAccessTokenRequest("secret", "marta", "password")
            .getAccessToken();
    AuthzClient authzClient = getAuthzClient();
    String ticket = authzClient.protection().permission().forResource(ticketRequest).getTicket();

    AuthorizationResponse rptResponse = authzClient.authorization(martaToken).authorize(new AuthorizationRequest(ticket));
    assertNotNull(rptResponse.getToken());

    // Exactly one permission is granted and it carries the claims of both policies.
    AccessToken rpt = toAccessToken(rptResponse.getToken());
    Authorization authorizationClaim = rpt.getAuthorization();
    List<Permission> granted = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, granted.size());
    Map<String, Set<String>> claims = granted.get(0).getClaims();
    assertTrue(claims.containsKey("claim-a"));
    assertTrue(claims.containsKey("claim-b"));
}